Alleged Heartbleed Hacker Arrested in Canada

The Royal Canadian Mounted Police (RCMP) yesterday announced that Stephen Arthuro Solis-Reyes, 19, of London, Ontario, had been arrested and charged with one count of Unauthorized Use of Computer and one count of Mischief in Relation to Data in connection with the recent theft of 900 Canadian taxpayer's personal data from the Canada Revenue Agency (h/t Sophos).

According to the Canada Revnue Agency, the data was stolen over a six-hour period by someone leveraging the Heartbleed bug.

"The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible," Assistant Commissioner Gilles Michaud said in a statement. "Investigators from National Division, along with our counterparts in 'O' Division, have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners."

"I just think it is totally inappropriate to try to destroy a kid's life before he even has an opportunity to speak to a lawyer and get legal advice," Faisal Joseph, Solis-Reyes' lawyer, told the Toronto Sun. "And now they're going to make a national spectacle out of him."

Solis-Reyes' home was searched on April 16, 2014, and computer equipment was seized. He is scheduled to appear in court in Ottawa on July 17, 2014.

"It's unclear what Solis-Reyes's motivations were," writes Sophos' Lee Munson. "But it's important to remember that while security researchers and other interested parties may like to think that testing for Heartbleed or other vulnerabilities may be ethical and useful in purpose, the law may not agree."